Automate SSL renewals for our ScreenConnect (Windows)
Posted by triadmin@reddit | sysadmin | 8 comments
Hey everyone, looking for advice on the best way to fully automate SSL renewals for our ScreenConnect server.
Right now our setup is:
- ScreenConnect hosted on a Windows Server in AWS
- We purchase a new SSL certificate manually every year
- We manually install and bind the cert ourselves
We want to get rid of the yearly manual process and have renewals happen automatically with as little hands-on work as possible.
I am looking for recommendations that fit this type of environment, and ideally step-by-step guidance on how to set it up.
A few specific questions:
- What is the best approach for ScreenConnect on Windows in AWS?
- Should we be using Let’s Encrypt, AWS Certificate Manager, ACME, or something else?
- What tools or scripts are people using to automatically renew and re-bind the cert for ScreenConnect?
- Is there a reliable way to handle the binding without breaking access during renewal?
- Are there any gotchas specific to ScreenConnect on Windows Server?
If anyone has a similar setup running successfully, I would really appreciate a practical walkthrough of how you built it.
Thanks.
jono_white@reddit
Normally I manually import it every time letsencrypt renews, but just gave it a whirl then (PowerShell).
Using certifytheweb for auto cert creation; it just needs to be run as a task.
# Hostname on the certificate subject
$hostname = 'x.x.com'
# Newest certificate for that hostname in the machine store (sorted by expiry so "last" really is the latest one)
$certhash = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$hostname" } | Sort-Object NotAfter | Select-Object -Last 1 -ExpandProperty Thumbprint
Write-Host $certhash
# Point the existing 0.0.0.0:443 HTTPS binding at the new thumbprint
netsh http update sslcert ipport=0.0.0.0:443 certhash=$certhash appid='{00000000-0000-0000-0000-000000000000}'
Seems to do the trick for me.
disclosure5@reddit
Note that certifytheweb is not free for business use.
jono_white@reddit
Should hopefully work the same with win-acme, which is free. I just had an older version of CTW community before they made licensing strict for businesses; will probably migrate soon as there's not much point purchasing a licence for a single system. Will update the script later on if there are any differences for win-acme.
jono_white@reddit
Just converted to win-acme. The PowerShell script just needs to change from cert:localmachine\my to cert:localmachine\webhosting (and pick the LocalMachine cert store in win-acme).
Will have to wait for a few months to make sure it renews without issue, but looks promising.
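Building on the two comments above (the netsh re-bind script, and the store change to WebHosting for win-acme), here is a fuller version of the post-renewal step as an added example; it is not jono_white's script or anything ConnectWise ships. The hostname, port and all-zero appid are placeholders, the store name is a parameter so it fits either ACME client, and the script only touches the binding when the newest valid certificate differs from the one currently bound, verifying the result afterwards.

```powershell
# Added example: re-bind the newest valid certificate for a hostname to the
# HTTPS listener with netsh. Store is 'My' for Certify The Web, 'WebHosting'
# for win-acme (as the thread describes). Hostname/port/appid are placeholders.
param(
    [string]$HostName  = 'sc.example.com',                        # placeholder
    [string]$StoreName = 'WebHosting',                            # 'My' or 'WebHosting'
    [string]$IpPort    = '0.0.0.0:443',
    [string]$AppId     = '{00000000-0000-0000-0000-000000000000}' # as used in the thread
)

$ErrorActionPreference = 'Stop'

# Newest, not-yet-expired certificate with a private key whose CN or SAN matches.
$now  = Get-Date
$cert = Get-ChildItem "Cert:\LocalMachine\$StoreName" |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and
        ($_.Subject -eq "CN=$HostName" -or $_.DnsNameList.Unicode -contains $HostName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No valid certificate for $HostName found in $StoreName" }
$newHash = $cert.Thumbprint

# Thumbprint currently bound to the listener, if any ("Certificate Hash : <hex>").
$current   = netsh http show sslcert ipport=$IpPort 2>$null
$boundHash = $current |
    Select-String 'Certificate Hash\s*:\s*([0-9a-fA-F]+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Select-Object -First 1

if ($boundHash -and ($boundHash -ieq $newHash)) {
    Write-Host "Binding already uses $newHash (expires $($cert.NotAfter)); nothing to do."
    return
}

if ($boundHash) {
    # 'update' swaps the certificate on the existing binding instead of delete + add,
    # so there is no window with no binding at all.
    netsh http update sslcert ipport=$IpPort certhash=$newHash appid="$AppId" certstorename=$StoreName
} else {
    netsh http add sslcert ipport=$IpPort certhash=$newHash appid="$AppId" certstorename=$StoreName
}
if ($LASTEXITCODE -ne 0) { throw "netsh exited with code $LASTEXITCODE" }

# Verify the listener now reports the new thumbprint before declaring success.
$after = netsh http show sslcert ipport=$IpPort
if (-not ($after -match $newHash)) { throw "Binding verification failed for $IpPort" }
Write-Host "Bound $newHash to $IpPort (expires $($cert.NotAfter))."
```

Run it from an elevated scheduled task (or the ACME client's post-renewal hook) after each renewal; because it is idempotent, running it daily is harmless, and a non-zero exit from the task is a usable signal that a renewal did not make it onto the listener.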
fp4@reddit
I use a reverse proxy with IIS to the 8040 port.
topher358@reddit
Simple-acme may be worth a look
kb0ykov@reddit
Just use acme-win, lol. You are using AWS but you don't know how to perform super basic sysadmin tasks.
Hot-Cress7492@reddit
Let me be honest with you. Connectwise will never make this easy for you because then it keeps you from moving to their hosted platform and paying more.
Seeing as their platform architecture doesn’t follow any sort of modern architecture, my opinion is that you’re going to have to make a hacky solution that will likely break as they modify their code.
Unfortunately, SC is awesome, but their business model is to extort more money from you…